HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

FILTER_SANITIZE_FULL_SPECIAL_CHARS ("full_special_chars")

Flags: FILTER_FLAG_NO_ENCODE_QUOTES

Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this filter is aware of the default_charset, and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected, resulting in a 0-length string. When using this filter as a default filter, see the warning below about setting the default flags to 0.

Do nothing, optionally strip or encode special characters. This filter is also aliased to FILTER_DEFAULT.

Warning

When using one of these filters as a default filter, either through your ini file or through your web server's configuration, the default flags are set to FILTER_FLAG_NO_ENCODE_QUOTES. You need to explicitly set filter.default_flags to 0 to have quotes encoded by default. Like this:
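The following script is an added example, not code from the manual page: it runs the same constructed value through FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_FULL_SPECIAL_CHARS, and FULL_SPECIAL_CHARS with FILTER_FLAG_NO_ENCODE_QUOTES (the flag the warning above says is on by default), so the effect of unencoded quotes inside an HTML attribute can be seen directly, and then shows the invalid-byte-sequence case from the description. The helper name sanitizeVariants() is an assumption of this example.

```php
<?php
// Added example (not from the PHP manual): compare the sanitize filters on one
// untrusted value that is about to be placed inside a quoted HTML attribute.
declare(strict_types=1);

// sanitizeVariants() is a hypothetical helper for this example.
function sanitizeVariants(string $input): array
{
    return [
        // htmlspecialchars()-equivalent with ENT_QUOTES: ' and " become entities
        'full_special_chars'    => filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS),
        // same filter with quotes left untouched (the default when used as a
        // default filter, per the warning above): unsafe inside a quoted attribute
        'full_no_encode_quotes' => filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS,
                                              FILTER_FLAG_NO_ENCODE_QUOTES),
        // numeric entities for '"<>& and bytes below 32
        'special_chars'         => filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS),
    ];
}

// Constructed sample: a value that closes the attribute if the quote passes through.
$value = 'x" title="injected';
foreach (sanitizeVariants($value) as $name => $out) {
    // Only the variants that encode the double quote keep the value inside value="..."
    printf("%-22s <input value=\"%s\">\n", $name, $out);
}

// Constructed sample with a byte sequence that is invalid under the default UTF-8
// charset (a lone Latin-1 0xE9). Per the description above, the whole string is
// rejected rather than partially encoded, so callers must treat '' as "rejected",
// not as "the user submitted nothing".
$bad = "caf\xE9";
var_dump(filter_var($bad, FILTER_SANITIZE_FULL_SPECIAL_CHARS) === '');
```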

Example #1 Configuring the default filter to act like htmlspecialchars

User Contributed Notes (9 notes)

<?php
// Trim array values using this function "trim_value"
function trim_value(&$value)
{
    $value = trim($value); // this removes whitespace and related characters from the beginning and end of the string
}
// array_walk() passes each element by reference, so $_POST itself is modified
// (the original used array_filter(), which discards the callback's effect)
array_walk($_POST, 'trim_value'); // the data in $_POST is trimmed

$postfilter = // set up the filters to be used with the trimmed post array
    array(
        // removes tags. formatting code is encoded -- add nl2br() when displaying
        // note: !FILTER_FLAG_STRIP_LOW evaluates to false, i.e. no flags at all, so low characters such as newlines are simply kept
        // FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
        'user_tasks' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => !FILTER_FLAG_STRIP_LOW),
        'username'   => array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW), // we are using this in the url
        'mod_title'  => array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW), // we are using this in the url
    );

$revised_post_array = filter_var_array($_POST, $postfilter); // must be referenced via a variable which is now an array that takes the place of $_POST[]
// use nl2br() upon output like so, for the ['user_tasks'] array value so that the newlines are formatted,
// since this is our HTML <textarea> field and we want to maintain newlines
echo nl2br($revised_post_array['user_tasks']);
?>

It's not entirely clear what the LOW and HIGH ranges are. LOW is characters below 32, HIGH is those above 127, i.e. outside the ASCII range.

<?php
$a = "\tcafé\n";
// This will remove the tab and the line break
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
// This will remove the é (both bytes of its UTF-8 encoding are above 127)
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
?>

Removing user html tags while maintaining text formatting such as newlines and carriage returns involves using the FILTER_SANITIZE_STRING filter ID with the flag !FILTER_FLAG_STRIP_LOW. The formatting text (the low ASCII values under decimal 32) are encoded because of the included FILTER_FLAG_ENCODE_LOW flag, but you are now preventing these from being removed. When you want to display the value on the page back in its intended format, use nl2br() so the encoded newlines are formatted properly on the page.

This example cleans $_POST data from a textarea field with the name "user_tasks" on a previous html form, stripping tags but maintaining formatting (at least for newlines):

<?php
$revised_post_array = filter_input_array(INPUT_POST, $postfilter); // must be referenced via a variable which is now an array that takes the place of $_POST[]
// here we use nl2br() for the displayed value, for the ['user_tasks'] array value so that the newlines are formatted
echo nl2br($revised_post_array['user_tasks']);
?>

Beware that FILTER_FLAG_STRIP_LOW strips NEWLINE and TAB and CARRIAGE RETURN chars. If you have a form that accepts user input in plaintext format, all the submitted text will lose all the line breaks, making it appear all on one line. This basically renders this filter useless for parsing user-submitted text, even in plain text.